Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security //


08:05 AM
Larry Loeb
Larry Loeb
Larry Loeb

FBI Knocks Out VPNFilter Malware That Infected 500K Routers

The VPNFilter botnet malware spread to 500,000 globally before the FBI knocked it out late in the day on May 23. However, it's another skirmish in the cyberfight between Russia and Ukraine.

It's been a busy few days for a sophisticated piece of botnet malware dubbed VPNFilter.

First, the Secret Service of Ukraine issued a warning about a botnet that had taken over 500,000 routers and Network Attached Storage (NAS) devices, infecting them with some of the most sophisticated malware ever seen used in a botnet.

Then, Cisco Talos and Symantecissued a descriptive warning about the situation and the malware which two firms called VPNFilter. The botnet was seen growing, and exhibited curious behavior in that it seemed to be seeking Ukrainian hosts -- even though Talos found that it spread to 54 countries.

Finally, in a surprise move late May 23, journalist Kevin Paulson tweeted that the FBI had seized control of the ability of the malware to regenerate itself after a reboot was performed on the host. The feds were able to do this when a court gave it control of one of the domains that was used as an hard-coded emergency backup control server by the malware.

This allowed them to stop the Stage 2 and Stage 3 downloads from staring.

VPNFilter is a three-stage attack that allows persistence of infection by a first stage that reloads the malware after a reboot which normally will erase the malware. This is an extremely sophisticated technique that has only been seen once before in botnet malware.

The second stage has the main payload. This allows for file collection, command execution, data exfiltration, and device management. Worryingly, there is a destructive capability that can effectively "brick" the device if it receives a command from the attackers. It does this by overwriting a section of the device's firmware and then rebooting, which makes it unusable.

Stage 3 consists of plugins that work with the second stage.

There is another seemingly unique capability -- a packet sniffer for spying on traffic that is routed through the device. The sniffer can carry out the theft of website credentials, as well as the monitoring of Modbus SCADA protocols. There may be other modules for Stage 3 that have haven't been seen yet.

That Supervisory Control and Data Acquisition (SCADA) monitoring is the giveaway as to what this malware is all about. These modules are the gateways to the infrastructure of a country. The ability to cause these gateways to fail without recovery -- not to mention the routers the malware is hosted on -- would be devastating.

The sophistication and targeting of the malware makes it all but inevitable that a nation-state has created it. The recent Ukranian targeting, as well as the setup of a C&C server just for Ukranian sites, makes it probable that Russia is the originator. This follows previous attempts Russia made against Ukraine's infrastructure, according to the US Department of Homeland Security.

If a user finds the malware, Cisco found that rebooting will wipe Stage 2 and 3 but not Stage 1. Stage 1 can then reload Stages 2 and 3.

Stage 1 removal may require a hardware reset on the device which can also remove any stored configuration settings.

However, with the FBI taking control of the Stage 1 reload process, the back of the botnet has been broken. The threat to the Ukrainian infrastructure has been reduced greatly, unless Russia gets a second version out the door in short order. Even with the interdiction by the FBI, users need to remove all traces of the malware to be reasonably assured of safety from the current threat.

Symantec found the malware on the following devices:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

Netgear is also advising customers that -- in addition to applying the latest firmware updates and the always useful changing of default passwords -- they should ensure that remote management is turned off on their router. Remote management should be turned off by default and can only be turned on using the router's advanced settings.

This is state cyberwar, brought to the user level. Even though this particular skirmish seems to have been won by the "GoodGuys," simply having a commodity device like a router can make one a participant in it. Perhaps this will make those who think security is for someone else realize that if you aren't part of the solution -- you are definitely part of the problem.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
PUBLISHED: 2020-08-10
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Mes...